Mailing lists in the wild


Mailing lists in the wild

Ryan Beethe
I am developing a milter application to enforce certain properties of
both header From and envelope From fields of emails, both outgoing and
incoming to my server.

While reading through recent traffic on this list I realized that my
current rules were too strict and would break basically all mailing
lists.  So I am re-writing my rules, and I would like feedback on how
these rules will fare "in the wild", by those of you with more
experience with mail servers than I have.

So, pending a rewrite, my milter will reject mail (550) under the
following conditions:

 - Mail with unparsable header From or Sender
 - SASL-auth'd mail w/ hdr From addr not controlled by user
 - Non-SASL mail w/ env From matching my domain
 - Non-SASL mail w/ Sender matching my domain
 - Non-SASL mail w/o Sender: and hdr From matching my domain

Looking at the headers from mailing lists I am a part of... These should
work fine for the mailing lists I am currently subscribed to, but I am
interested in feedback from other Postfix admins.

Ryan

Re: Mailing lists in the wild

robacons
Ryan,

Looking at your 'conditions', what you're trying to do looks like it's already handled by an existing milter

https://www.benzedrine.ch/milter-regex.html

How are your requirements different than what that provides?

Rob

On Fri, Aug 24, 2018, at 11:42 AM, Ryan Beethe wrote:

> I am developing a milter application to enforce certain properties of
> both header From and envelope From fields of emails, both outgoing and
> incoming to my server.
>
> While reading through recent traffic on this list I realized that my
> current rules were too strict and would break basically all mailing
> lists.  So I am re-writing my rules, and I would like feedback on how
> these rules will fare "in the wild", by those of you with more
> experience with mail servers than I have.
>
> So, pending a rewrite, my milter will reject mail (550) under the
> following conditions:
>
>  - Mail with unparsable header From or Sender
>  - SASL-auth'd mail w/ hdr From addr not controlled by user
>  - Non-SASL mail w/ env From matching my domain
>  - Non-SASL mail w/ Sender matching my domain
>  - Non-SASL mail w/o Sender: and hdr From matching my domain
>
> Looking at the headers from mailing lists I am a part of... These should
> work fine for the mailing lists I am currently subscribed to, but I am
> interested in feedback from other Postfix admins.
>
> Ryan

Re: Mailing lists in the wild

Ryan Beethe
On Fri, Aug 24, 2018 at 02:51:08PM -0400, Andrew Sullivan wrote:
> This feels like you are reinventing DMARC or maybe DKIM and needing to
> invent ARC to solve the problem with mailing lists.  Have you looked
> at those systems?
>
> A

I had not looked at ARC, but if I am not mistaken... isn't ARC something
that a mailing list server needs to support, which is something I
wouldn't have any control over, right?  I don't see how that would help
me for filtering on my end.

Also it is my understanding that SPF and DKIM suffer the same issues...
if the mailing list is configured incorrectly then when I receive an
email from a list it won't pass SPF and/or DKIM.

In my mind my tool is different because I *know* how my server is set up
and I'm trying to block messages that I know are invalid based on that
knowledge.  But I'm asking the list because I recognize my knowledge is
incomplete...

Ryan

Re: Mailing lists in the wild

Ryan Beethe
> Looking at your 'conditions', what you're trying to do looks like it's
> already handled by an existing milter
>
> https://www.benzedrine.ch/milter-regex.html
>
> How are your requirements different than what that provides?

Indeed, it looks like I could implement the requirements I am using with
milter-regex, but the additional requirement that I did not list was
that SASL-authenticated mail with a header From matching the alias of a
user should be modified so that the envelope from also matches that
alias.

Otherwise I observed that I could send email from an alias via
Thunderbird, but my envelope from was giving away my real email address.
In fact, this was the original reason for writing my own milter, and the
other requirements were easy enough to enforce at the same time.  I'm
using largely regex anyway, with a combination of some SQL lookups for
checking aliases against SASL usernames.

Ryan

Re: Mailing lists in the wild

Benny Pedersen-2
Ryan Beethe skrev den 2018-08-24 21:22:

> Also it is my understanding that SPF and DKIM suffer the same issues...
> if the mailing list is configured incorrectly then when I receive an
> email from a list it won't pass SPF and/or DKIM.

incorrect, spf changes from the sending server, dkim is valid if
maillist did not break it, sadly many maillists do break dkim, and on
top of that now openarc comes as a fixer for breaking dkim

sadly

postfix maillist does not break dkim

so you should see dmarc pass from me

note: i see stats that it seems to break on postfix maillist for some
reason, if someone will tell me why, i would like to know

Re: Mailing lists in the wild

Ryan Beethe
On Fri, Aug 24, 2018 at 04:36:28PM -0400, Andrew Sullivan wrote:

> On Fri, Aug 24, 2018 at 02:10:00PM -0500, Ryan Beethe wrote:
> > Also it is my understanding that SPF and DKIM suffer the same
> > issues...  if the mailing list is configured incorrectly then when I
> > receive an email from a list it won't pass SPF and/or DKIM.
>
> The ways stuff breaks differs depending on the SPF and DKIM
> arrangement.  DMARC was an attempt to wed these two technologies in a
> deployable way, and in fact it broke every mailing list
> automatically.  But since the Big Guys wanted it, that's what we got
> anyway.  So it isn't so much the list that is broken, but the approach.
>
> Basically, an infrastructure that depends on the ability to connect
> people with no pre-existing relationship through arbitrary
> intermediate points cannot work unless the abuse potential is opened
> unacceptably wide.  :(

That all makes sense.

So now I think I understand that, of the following three steps I listed
initially:

 - Non-SASL mail w/ env From matching my domain
 - Non-SASL mail w/ Sender matching my domain
 - Non-SASL mail w/o Sender: and hdr From matching my domain

the first of those would be covered by SPF, since I'm in control of my
own SPF policy.

But the other two would not be affected by SPF at all, and in general
are not redundant, because DKIM is going to be broken for a lot of
incoming mailing list mail, but the rules I have would still apply.

So I still have this question: would the last two rules listed above
play nice with mailing lists in general?  Is there an appreciable
contingent of mailing lists which don't list themselves in either the
From OR the Sender?  I think that would be the only problem.

Ryan
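The five rejection conditions from the opening post, and the three non-SASL rules singled out again in this last message, as an added example in Python (not Ryan's milter and not Postfix code). It assumes a receiving domain of example.com and a constructed SASL-user-to-alias table, and it shows why a list post that carries a Sender: header from the list host is accepted while the same From: without any Sender: is rejected:

```python
from email.utils import parseaddr

MY_DOMAIN = "example.com"  # assumption: the receiving server's own domain

# Constructed table: SASL username -> header From addresses that user controls.
CONTROLLED = {
    "ryan": {"ryan@example.com", "alias@example.com"},
}


def _addr(header_value):
    """Lowercase addr-spec from a header value, or None if it does not parse."""
    if header_value is None:
        return None
    _, addr = parseaddr(header_value)
    return addr.lower() if "@" in addr else None


def _domain(addr):
    return addr.rsplit("@", 1)[1]


def check(sasl_user, env_from, hdr_from, hdr_sender=None):
    """Return ('accept' | '550', reason) for one message, applying the rules in order."""
    from_addr = _addr(hdr_from)
    if from_addr is None:                      # rule 1: unparsable header From
        return ("550", "unparsable header From")
    sender_addr = None
    if hdr_sender is not None:
        sender_addr = _addr(hdr_sender)
        if sender_addr is None:                # rule 1: unparsable Sender
            return ("550", "unparsable Sender")
    if sasl_user is not None:                  # rule 2: authenticated submission
        if from_addr not in CONTROLLED.get(sasl_user, set()):
            return ("550", "header From not controlled by SASL user")
        return ("accept", "authenticated submission")
    env_addr = _addr(env_from)                 # null sender "<>" parses to None
    if env_addr is not None and _domain(env_addr) == MY_DOMAIN:
        return ("550", "envelope From claims my domain without SASL auth")   # rule 3
    if sender_addr is not None and _domain(sender_addr) == MY_DOMAIN:
        return ("550", "Sender claims my domain without SASL auth")          # rule 4
    if sender_addr is None and _domain(from_addr) == MY_DOMAIN:
        return ("550", "header From claims my domain, no Sender, no SASL")   # rule 5
    return ("accept", "no rule matched")
```

A list post from one of your own users passes only because the list adds a Sender: on a foreign domain; a list that rewrites neither From: nor adds Sender: would hit rule 5, which is the case the question at the end is asking about.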